GRCWatch
Sign inStart free trial

PCI DSS 8.6.2: Prohibit Hardcoded Passwords in Code & Configuration

Hardcoded passwords in scripts, configuration files, and source code create critical security vulnerabilities that expose your entire system to unauthorized access. PCI DSS 8.6.2 requires organizations to eliminate this dangerous practice and implement secure credential management instead. This control is essential for protecting system and application accounts across your infrastructure.

What this means

Passwords for system and application accounts must never be embedded directly in scripts, configuration files, source code, or any code repository. This includes development, testing, and production environments. When passwords are hardcoded, they become discoverable through code reviews, version control history, backup files, and reverse engineering—significantly increasing your breach risk. Instead, organizations must use secure credential management solutions, environment variables, vaults, or identity and access management systems to store and retrieve credentials at runtime.

How to comply

  1. 1.Audit all scripts, configuration files, and source code repositories to identify hardcoded passwords, connection strings, API keys, and other credentials.
  2. 2.Implement a centralized secrets management solution (e.g., HashiCorp Vault, AWS Secrets Manager, Azure Key Vault) to store and rotate credentials securely.
  3. 3.Refactor applications and scripts to retrieve credentials from the secrets management system at runtime rather than reading hardcoded values.
  4. 4.Use environment variables for sensitive configuration data in non-production environments to separate secrets from code.
  5. 5.Establish a code review process that specifically checks for hardcoded passwords before code is merged or deployed.
  6. 6.Configure version control systems to scan for and prevent commits containing credentials using pre-commit hooks or secret scanning tools.
  7. 7.Document credential management procedures and train developers on secure credential handling practices.
  8. 8.Regularly scan repositories and backups to detect any accidentally committed credentials and remove them from history.

Evidence auditors look for

  • Secrets management system configuration showing credential storage outside of code and configuration files
  • Code review checklist or automated scanning tools that flag hardcoded credentials before deployment
  • Git hooks, pre-commit configurations, or CI/CD pipeline rules preventing credential commits
  • Environment variable definitions separating secrets from application code
  • Credential rotation logs from your secrets management platform
  • Code audit reports demonstrating zero hardcoded passwords in repositories
  • Developer security training documentation covering credential management requirements
  • Infrastructure-as-Code (IaC) templates using dynamic credential injection rather than static values

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically scans your code repositories and configuration files to detect hardcoded credentials, flag them in your compliance dashboard, and track remediation progress—eliminating manual audits for PCI DSS 8.6.2.

See how GRCWatch handles this control automatically

Start free trial

Related controls

PCI DSS 8.1 - User Access ControlPCI DSS 8.2 - User AuthenticationPCI DSS 8.3 - Multi-Factor AuthenticationPCI DSS 2.1 - Configuration Standards